CVE-2025-63740

4.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Xinhu Rainrock RockOA 2.7.0 allows attackers to execute arbitrary SQL commands via the actstr parameter in the getselectdataAjax function. Attackers can extract sensitive information including administrator credentials, password hashes, and database structure. Organizations running RockOA 2.7.0 are affected.

💻 Affected Systems

Products:
  • Xinhu Rainrock RockOA
Versions: 2.7.0
Operating Systems: All platforms running RockOA
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of version 2.7.0.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to credential theft, data exfiltration, and potential lateral movement to other systems.

🟠 Likely Case: Extraction of administrator credentials and sensitive business data stored in the database.

🟢 If Mitigated: Limited information disclosure if database permissions are properly restricted and input validation is enforced.

🌐 Internet-Facing: HIGH - Web applications with SQL injection vulnerabilities are prime targets for automated attacks.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this to escalate privileges and access sensitive data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized in automated attacks. The GitHub issue shows exploitation details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://github.com/rainrocka/xinhu/issues/13

Restart Required: No

Instructions:

1. Monitor the GitHub repository for patches.
2. Apply any available security updates.
3. Review and sanitize all user inputs in the application.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement proper input validation and parameterized queries for the actstr parameter. Modify inputAction.php to validate and sanitize the actstr parameter before processing.

Web Application Firewall (WAF)

Applies to: all

Deploy a WAF with SQL injection protection rules.

🧯 If You Can't Patch

  • Implement network segmentation to isolate the RockOA server from sensitive systems
  • Enable detailed SQL query logging and monitor for suspicious database activity

🔍 How to Verify

Check if Vulnerable:

Test the getselectdataAjax endpoint with SQL injection payloads in the actstr parameter.

Check Version:

Check the RockOA version in the application configuration or admin panel.

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and return error messages.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts from a single IP
  • Requests with SQL keywords in actstr parameter

Network Indicators:

  • HTTP requests containing SQL injection patterns to inputAction.php

SIEM Query:

source="web_logs" AND uri="/inputAction.php" AND (actstr CONTAINS "UNION" OR actstr CONTAINS "SELECT" OR actstr CONTAINS "--")
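Detection logic for the log and network indicators above, as an added example that is not part of this advisory or of the RockOA project: it parses constructed combined-format access-log lines, pulls the actstr parameter out of requests to inputAction.php, and normalizes the value (repeated percent-decoding, inline-comment stripping, case folding) before matching, so that encoded or comment-split keywords a plain CONTAINS search like the SIEM query above would miss are still flagged. The log lines, IPs and timestamps are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines in combined-log format; they are not
# taken from any real RockOA deployment.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /inputAction.php?m=getselectdataAjax&actstr=dept HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /inputAction.php?m=getselectdataAjax&actstr=dept%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /inputAction.php?m=getselectdataAjax&actstr=dept%2527%252F%252A%252A%252FuNiOn%252F%252A%252A%252FsElEcT%25201 HTTP/1.1" 500 120',
    '10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?actstr=UNION+SELECT HTTP/1.1" 200 300',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators evaluated on the normalized actstr value; each hit is labelled.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\b.*\bselect\b"),
    "comment-sequence": re.compile(r"--|#"),
    "quote-boolean": re.compile(r"'\s*(or|and)\b"),
    "stacked-or-time": re.compile(r";|\b(sleep|benchmark)\s*\("),
}


def normalize(value: str) -> str:
    """Undo evasions a CONTAINS match misses: double encoding, /**/ splits, case."""
    for _ in range(2):  # parse_qs already decoded once; allow two more rounds
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value)  # drop inline comments
    return re.sub(r"\s+", " ", value).strip().lower()


def scan_log_lines(lines):
    """Return one finding per suspicious actstr value sent to inputAction.php."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m.group("target"))
        if url.path.lower() != "/inputaction.php":  # only the affected script
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("actstr", []):
            value = normalize(raw)
            reasons = [n for n, rx in SQLI_PATTERNS.items() if rx.search(value)]
            if reasons:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "status": int(m.group("status")),
                                 "actstr": value, "reasons": reasons})
    return findings
```

Parameters sent in a POST body do not appear in access logs, so for those requests the same check has to run in the WAF or in application-level request logging.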
